<!DOCTYPE html>
<html id="docs" lang="en" class="">
	<head>
	<meta charset="utf-8">
<title>Accessing the API - Kubernetes</title>
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="shortcut icon" type="image/png" href="../../../images/favicon.png">
<link rel="stylesheet" type="text/css" href="../../../css/base_fonts.css">
<link rel="stylesheet" type="text/css" href="../../../css/styles.css">
<link rel="stylesheet" type="text/css" href="https://code.jquery.com/ui/1.12.1/themes/smoothness/jquery-ui.css">
<link rel="stylesheet" type="text/css" href="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.css">
<link rel="stylesheet" type="text/css" href="../../../css/callouts.css">
<link rel="stylesheet" type="text/css" href="../../../css/custom-jekyll/tags.css">




<meta name="description" content="Accessing the API" />
<meta property="og:description" content="Accessing the API" />

<meta property="og:url" content="https://kubernetes.io/docs/reference/access-authn-authz/" />
<meta property="og:title" content="Accessing the API - Kubernetes" />

<script
src="https://code.jquery.com/jquery-3.2.1.min.js"
integrity="sha256-hwg4gsxgFZhOsEEamdOYGBf13FyQuiTwlAQgxVSNgt4="
crossorigin="anonymous"></script>
<script
src="https://code.jquery.com/ui/1.12.1/jquery-ui.min.js"
integrity="sha256-VazP97ZCwtekAsvgPBSUwPFKdrwD3unUfSGVYrahUqU="
crossorigin="anonymous"></script>
<script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/sweetalert/1.1.3/sweetalert.min.js"></script>
<script src="../../../js/script.js"></script>
<script src="../../../js/custom-jekyll/tags.js"></script>


	</head>
	<body>

		
		
		<section id="hero" class="light-text no-sub">
			















<h1>Reference Documentation</h1>

		</section>
		
		
<section id="deprecationWarning">
  <main>
    <div class="content deprecation-warning">
      <h3>
        Documentation for Kubernetes v1.11 is no longer actively maintained. The version you are currently viewing is a static snapshot.
        For up-to-date documentation, see the <a href="https://kubernetes.io/docs/home/">latest</a> version.
      </h3>
    </div>
  </main>
</section>


		<section id="encyclopedia">
			

			<div id="docsContent">
				
	 
    
    

<h1>Controlling Access to the Kubernetes API</h1>



<p>This page provides an overview of controlling access to the Kubernetes API.</p>









<ul id="markdown-toc">










<li><a href="index.html#transport-security">Transport Security</a></li>




<li><a href="index.html#authentication">Authentication</a></li>




<li><a href="index.html#authorization">Authorization</a></li>




<li><a href="index.html#admission-control">Admission Control</a></li>




<li><a href="index.html#api-server-ports-and-ips">API Server Ports and IPs</a></li>



















</ul>


<p>Users <a href="../../concepts/cluster-administration/access-cluster/index.html">access the API</a> using <code>kubectl</code>,
client libraries, or by making REST requests.  Both human users and
<a href="../../user-guide/service-accounts">Kubernetes service accounts</a> can be
authorized for API access.
When a request reaches the API, it goes through several stages, illustrated in the
following diagram:</p>

<p><img src="../../../images/docs/admin/access-control-overview.svg" alt="Diagram of request handling steps for Kubernetes API request" /></p>

<h2 id="transport-security">Transport Security</h2>

<p>In a typical Kubernetes cluster, the API serves on port 443.
The API server presents a certificate. This certificate is
often self-signed, so <code>$USER/.kube/config</code> on the user&rsquo;s machine typically
contains the root certificate for the API server&rsquo;s certificate. When specified, this root
certificate is used in place of the system default root certificate.  It is typically
automatically written into your <code>$USER/.kube/config</code> when you create a cluster yourself
using <code>kube-up.sh</code>.  If the cluster has multiple users, then the creator needs to share
the certificate with other users.</p>
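<p>The following Go sketch is an added example, not code from the Kubernetes project. It shows what using the kubeconfig's root certificate in place of the system roots means for a client: the presented certificate verifies only against the pinned root and only for the expected name. The host names, the generated certificates, and the reference to the kubeconfig key <code>certificate-authority-data</code> (not named on this page) are assumptions made for the illustration.</p>

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/base64"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// selfSigned returns a PEM-encoded self-signed serving certificate for host.
// It is a constructed stand-in for the API server's certificate.
func selfSigned(host string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// VerifyPinned checks the certificate a server presented for host against only the
// roots in caData, the base64 PEM bundle a kubeconfig carries for its cluster.
func VerifyPinned(presented []byte, caData, host string) error {
	caPEM, err := base64.StdEncoding.DecodeString(caData)
	if err != nil {
		return fmt.Errorf("decoding CA data: %w", err)
	}
	roots := x509.NewCertPool() // starts empty, so system roots are never consulted
	if !roots.AppendCertsFromPEM(caPEM) {
		return errors.New("CA data contains no certificate")
	}
	block, _ := pem.Decode(presented)
	if block == nil {
		return errors.New("presented certificate is not PEM")
	}
	cert, err := x509.ParseCertificate(block.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// kind names the failure class so callers can tell the cases apart.
func kind(err error) string {
	var ua x509.UnknownAuthorityError
	var hn x509.HostnameError
	switch {
	case err == nil:
		return "trusted"
	case errors.As(err, &ua):
		return "unknown authority"
	case errors.As(err, &hn):
		return "hostname mismatch"
	}
	return "other: " + err.Error()
}

// Demo verifies one server certificate under three client configurations.
func Demo() (pinned, otherRoot, otherHost string) {
	const host = "apiserver.example.internal" // constructed name
	server := selfSigned(host)
	ca := base64.StdEncoding.EncodeToString(server)
	unrelated := base64.StdEncoding.EncodeToString(selfSigned("elsewhere.example.internal"))
	return kind(VerifyPinned(server, ca, host)), // kubeconfig holds this cluster's root
		kind(VerifyPinned(server, unrelated, host)), // roots lack the cluster's root
		kind(VerifyPinned(server, ca, "other.example.internal")) // right root, wrong name
}

func main() { fmt.Println(Demo()) }
```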

<h2 id="authentication">Authentication</h2>

<p>Once TLS is established, the HTTP request moves to the Authentication step.
This is shown as step <strong>1</strong> in the diagram.
The cluster creation script or cluster admin configures the API server to run
one or more Authenticator Modules.
Authenticators are described in more detail <a href="../../admin/authentication/index.html">here</a>.</p>

<p>The input to the authentication step is the entire HTTP request; however, the step typically
examines only the headers and/or client certificate.</p>

<p>Authentication modules include Client Certificates, Password, Plain Tokens,
Bootstrap Tokens, and JWT Tokens (used for service accounts).</p>

<p>Multiple authentication modules can be specified, in which case each one is tried in sequence,
until one of them succeeds.</p>

<p>On GCE, Client Certificates, Password, Plain Tokens, and JWT Tokens are all enabled.</p>

<p>If the request cannot be authenticated, it is rejected with HTTP status code 401.
Otherwise, the user is authenticated as a specific <code>username</code>, and the user name
is available to subsequent steps to use in their decisions.  Some authenticators
also provide the group memberships of the user, while other authenticators
do not.</p>

<p>While Kubernetes uses <code>usernames</code> for access control decisions and in request logging,
it does not have a <code>user</code> object nor does it store usernames or other information about
users in its object store.</p>

<h2 id="authorization">Authorization</h2>

<p>After the request is authenticated as coming from a specific user, the request must be authorized. This is shown as step <strong>2</strong> in the diagram.</p>

<p>A request must include the username of the requester, the requested action, and the object affected by the action. The request is authorized if an existing policy declares that the user has permissions to complete the requested action.</p>

<p>For example, if Bob has the policy below, then he can read pods only in the namespace <code>projectCaribou</code>:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
    <span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;abac.authorization.kubernetes.io/v1beta1&#34;</span>,
    <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;Policy&#34;</span>,
    <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {
        <span style="color:#008000;font-weight:bold">&#34;user&#34;</span>: <span style="color:#b44">&#34;bob&#34;</span>,
        <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;projectCaribou&#34;</span>,
        <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;pods&#34;</span>,
        <span style="color:#008000;font-weight:bold">&#34;readonly&#34;</span>: <span style="color:#a2f;font-weight:bold">true</span>
    }
}</code></pre></div>
<p>If Bob makes the following request, the request is authorized because he is allowed to read objects in the <code>projectCaribou</code> namespace:</p>
<div class="highlight"><pre style="background-color:#f8f8f8;-moz-tab-size:4;-o-tab-size:4;tab-size:4"><code class="language-json" data-lang="json">{
  <span style="color:#008000;font-weight:bold">&#34;apiVersion&#34;</span>: <span style="color:#b44">&#34;authorization.k8s.io/v1beta1&#34;</span>,
  <span style="color:#008000;font-weight:bold">&#34;kind&#34;</span>: <span style="color:#b44">&#34;SubjectAccessReview&#34;</span>,
  <span style="color:#008000;font-weight:bold">&#34;spec&#34;</span>: {
    <span style="color:#008000;font-weight:bold">&#34;resourceAttributes&#34;</span>: {
      <span style="color:#008000;font-weight:bold">&#34;namespace&#34;</span>: <span style="color:#b44">&#34;projectCaribou&#34;</span>,
      <span style="color:#008000;font-weight:bold">&#34;verb&#34;</span>: <span style="color:#b44">&#34;get&#34;</span>,
      <span style="color:#008000;font-weight:bold">&#34;group&#34;</span>: <span style="color:#b44">&#34;unicorn.example.org&#34;</span>,
      <span style="color:#008000;font-weight:bold">&#34;resource&#34;</span>: <span style="color:#b44">&#34;pods&#34;</span>
    }
  }
}</code></pre></div>
<p>If Bob makes a request to write (<code>create</code> or <code>update</code>) to the objects in the <code>projectCaribou</code> namespace, his authorization is denied. If Bob makes a request to read (<code>get</code>) objects in a different namespace such as <code>projectFish</code>, then his authorization is denied.</p>

<p>Kubernetes authorization requires that you use common REST attributes to interact with existing organization-wide or cloud-provider-wide access control systems. It is important to use REST formatting because these control systems might interact with other APIs besides the Kubernetes API.</p>

<p>Kubernetes supports multiple authorization modules, such as ABAC mode, RBAC Mode, and Webhook mode. When an administrator creates a cluster, they configure the authorization modules that should be used in the API server. If more than one authorization module is configured, Kubernetes checks each module, and if any module authorizes the request, then the request can proceed. If all of the modules deny the request, then the request is denied (HTTP status code 403).</p>

<p>To learn more about Kubernetes authorization, including details about creating policies using the supported authorization modules, see <a href="../../admin/authorization/index.html">Authorization Overview</a>.</p>

<h2 id="admission-control">Admission Control</h2>

<p>Admission Control Modules are software modules that can modify or reject requests.
In addition to the attributes available to Authorization Modules, Admission
Control Modules can access the contents of the object that is being created or updated.
They act on objects being created, deleted, updated or connected (proxy), but not reads.</p>

<p>Multiple admission controllers can be configured.  Each is called in order.</p>

<p>This is shown as step <strong>3</strong> in the diagram.</p>

<p>Unlike Authentication and Authorization Modules, if any admission controller module
rejects, then the request is immediately rejected.</p>

<p>In addition to rejecting objects, admission controllers can also set complex defaults for
fields.</p>

<p>The available Admission Control Modules are described <a href="../../admin/admission-controllers/index.html">here</a>.</p>

<p>Once a request passes all admission controllers, it is validated using the validation routines
for the corresponding API object, and then written to the object store (shown as step <strong>4</strong>).</p>
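<p>The decision rules of steps 1 to 3 differ, and the difference is easy to miss: authentication stops at the first module that succeeds, authorization needs only one module to allow, and admission fails on the first module that rejects. The Go model below is an added example, not the API server's implementation. It evaluates the ABAC policy for Bob shown above. The tokens, the user <code>alice</code>, her allow-all authorizer, and the <code>noPrivileged</code> admission module are hypothetical, and the assumption that a read-only ABAC policy covers <code>get</code>, <code>list</code> and <code>watch</code> comes from ABAC mode's definition of <code>readonly</code>.</p>

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Request holds what the stages examine; Token stands for the header credential.
type Request struct {
	Token, Namespace, Resource, Verb string
	Object                           map[string]interface{} // body of a write
}

type Authenticator func(token string) (user string, ok bool)
type Authorizer func(user string, r Request) bool
type Admitter func(r Request) bool // false means reject

// bobPolicy is the ABAC policy shown on this page.
const bobPolicy = `{"apiVersion": "abac.authorization.kubernetes.io/v1beta1", "kind": "Policy",
  "spec": {"user": "bob", "namespace": "projectCaribou", "resource": "pods", "readonly": true}}`

// isRead lists the verbs a readonly ABAC policy covers.
func isRead(verb string) bool { return verb == "get" || verb == "list" || verb == "watch" }

// ABAC turns one policy document into an authorizer; an unparsable policy grants nothing.
func ABAC(doc string) Authorizer {
	var p struct{ Spec struct{ User, Namespace, Resource string; Readonly bool } }
	if err := json.Unmarshal([]byte(doc), &p); err != nil {
		return func(string, Request) bool { return false }
	}
	s := p.Spec
	return func(user string, r Request) bool {
		return user == s.User && r.Namespace == s.Namespace && r.Resource == s.Resource &&
			(!s.Readonly || isRead(r.Verb))
	}
}

// TokenTable is a simplified authenticator module: a token-to-username table.
func TokenTable(t map[string]string) Authenticator {
	return func(tok string) (string, bool) { u, ok := t[tok]; return u, ok }
}

// noPrivileged is a hypothetical admission module that inspects the object body.
func noPrivileged(r Request) bool { p, _ := r.Object["privileged"].(bool); return !p }

// Handle runs one request through steps 1 to 3 of the diagram.
func Handle(r Request, authn []Authenticator, authz []Authorizer, adm []Admitter) string {
	user, ok := "", false
	for i := 0; i < len(authn) && !ok; i++ { // step 1: tried in sequence until one succeeds
		user, ok = authn[i](r.Token)
	}
	if !ok {
		return "401 at authentication"
	}
	allowed := false
	for i := 0; i < len(authz) && !allowed; i++ { // step 2: one authorizing module is enough
		allowed = authz[i](user, r)
	}
	if !allowed {
		return "403 at authorization"
	}
	for _, admit := range adm { // step 3: not applied to reads; one rejection is final
		if !isRead(r.Verb) && !admit(r) {
			return "rejected at admission"
		}
	}
	return "accepted"
}

// Demo runs six constructed requests against a constructed module configuration.
func Demo() []string {
	authn := []Authenticator{
		TokenTable(map[string]string{"tok-bob": "bob"}),
		TokenTable(map[string]string{"tok-alice": "alice"}),
	}
	authz := []Authorizer{ABAC(bobPolicy), func(u string, _ Request) bool { return u == "alice" }}
	adm := []Admitter{noPrivileged}
	pod := func(p bool) map[string]interface{} { return map[string]interface{}{"privileged": p} }
	var out []string
	for _, r := range []Request{
		{"tok-bob", "projectCaribou", "pods", "get", nil},             // read matches bobPolicy
		{"tok-bob", "projectCaribou", "pods", "create", pod(false)},   // readonly policy, write
		{"tok-bob", "projectFish", "pods", "get", nil},                // other namespace
		{"tok-unknown", "projectCaribou", "pods", "get", nil},         // no module knows the token
		{"tok-alice", "projectCaribou", "pods", "create", pod(false)}, // second authn and authz module
		{"tok-alice", "projectCaribou", "pods", "create", pod(true)},  // authorized, then not admitted
	} {
		out = append(out, Handle(r, authn, authz, adm))
	}
	return out
}

func main() { fmt.Println(Demo()) }
```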

<h2 id="api-server-ports-and-ips">API Server Ports and IPs</h2>

<p>The previous discussion applies to requests sent to the secure port of the API server
(the typical case).  By default the Kubernetes API server serves HTTP on 2 ports:</p>

<ol>
<li><p><code>Localhost Port</code>:</p>

<ul>
<li>is intended for testing and bootstrap, and for other components of the master node
(scheduler, controller-manager) to talk to the API</li>
<li>no TLS</li>
<li>default is port 8080, change with <code>--insecure-port</code> flag.</li>
<li>default IP is localhost, change with <code>--insecure-bind-address</code> flag.</li>
<li>request <strong>bypasses</strong> authentication and authorization modules.</li>
<li>request handled by admission control module(s).</li>
<li>protected by the need to have host access</li>
</ul></li>

<li><p><code>Secure Port</code>:</p>

<ul>
<li>use whenever possible</li>
<li>uses TLS.  Set cert with <code>--tls-cert-file</code> and key with <code>--tls-private-key-file</code> flag.</li>
<li>default is port 6443, change with <code>--secure-port</code> flag.</li>
<li>default IP is first non-localhost network interface, change with <code>--bind-address</code> flag.</li>
<li>request handled by authentication and authorization modules.</li>
<li>request handled by admission control module(s).</li>
</ul></li>
</ol>
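<p>Because requests on the localhost port bypass authentication and authorization, a configuration review should confirm how that port is bound. The Go check below is an added example, not a Kubernetes tool. It reads a <code>kube-apiserver</code> command line, applies the defaults listed above, and reports the exposure of each port. The sample command lines and file paths are constructed, and the check assumes that a port value of <code>0</code> disables the corresponding listener.</p>

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Finding is one result of the audit; Level is "warn" or "critical".
type Finding struct{ Level, Msg string }

// parseFlags reads "--name=value" and "--name value" pairs; a repeated flag keeps its last value.
func parseFlags(args []string) map[string]string {
	flags := map[string]string{}
	for i := 0; i < len(args); i++ {
		if !strings.HasPrefix(args[i], "--") {
			continue
		}
		name := strings.TrimPrefix(args[i], "--")
		if eq := strings.IndexByte(name, '='); eq >= 0 {
			flags[name[:eq]] = name[eq+1:]
		} else if i+1 < len(args) && !strings.HasPrefix(args[i+1], "--") {
			flags[name] = args[i+1]
			i++
		} else {
			flags[name] = "true"
		}
	}
	return flags
}

// value returns the flag's setting, or the default this page documents for it.
func value(flags map[string]string, name, def string) string {
	if v, ok := flags[name]; ok {
		return v
	}
	return def
}

// isLoopback reports whether addr keeps a listener on the local host only.
func isLoopback(addr string) bool {
	ip := net.ParseIP(addr)
	return addr == "localhost" || (ip != nil && ip.IsLoopback())
}

// Audit reports how the API server's two ports are exposed by a given command line.
func Audit(args []string) []Finding {
	flags := parseFlags(args)
	var out []Finding
	port := value(flags, "insecure-port", "8080")
	bind := value(flags, "insecure-bind-address", "localhost")
	switch {
	case port == "0": // assumption: 0 turns the localhost port off
	case isLoopback(bind):
		out = append(out, Finding{"warn", "port " + port + " on " + bind +
			" skips authentication and authorization; only host access protects it"})
	default:
		out = append(out, Finding{"critical", "port " + port + " on " + bind +
			" skips authentication and authorization and is reachable off-host"})
	}
	if value(flags, "secure-port", "6443") == "0" {
		out = append(out, Finding{"critical", "secure port is disabled; no TLS listener remains"})
	}
	return out
}

// Constructed sample command lines (file paths are placeholders).
var (
	hardened = strings.Fields("kube-apiserver --insecure-port=0 --secure-port=6443 " +
		"--tls-cert-file=/path/to/apiserver.crt --tls-private-key-file=/path/to/apiserver.key")
	defaults = strings.Fields("kube-apiserver --bind-address=0.0.0.0")
	exposed  = strings.Fields("kube-apiserver --insecure-port 8080 --insecure-bind-address 0.0.0.0")
)

func main() {
	for _, args := range [][]string{hardened, defaults, exposed} {
		fmt.Println(strings.Join(args, " "), "=>", Audit(args))
	}
}
```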

<p>When the cluster is created by <code>kube-up.sh</code>, on Google Compute Engine (GCE),
and on several other cloud providers, the API server serves on port 443.  On
GCE, a firewall rule is configured on the project to allow external HTTPS
access to the API. Other cluster setup methods vary.</p>













    
    

			</div>
		</section>
		<footer>
    <main class="light-text">
        <div id="miceType" class="center">
            &copy; 2018 The Kubernetes Authors | Documentation Distributed under <a href="https://git.k8s.io/website/LICENSE" class="light-text">CC BY 4.0</a>
        </div>
        <div id="miceType" class="center">
            Copyright &copy; 2018 The Linux Foundation&reg;. All rights reserved. The Linux Foundation has registered trademarks and uses trademarks. For a list of trademarks of The Linux Foundation, please see our <a href="https://www.linuxfoundation.org/trademark-usage" class="light-text">Trademark Usage page</a>
        </div>
    </main>
</footer>




	</body>
</html>